01-31-2008 11:01 PM - edited 03-10-2019 03:58 AM
Hi,
can anyone clearly explain this signature, please? When does it fire?
If I am seeing, for example, this signature fire from x.x.x.x to my mail server y.y.y.y:25 HTTP, what does this mean?
Thank you
02-01-2008 07:11 AM
Generally speaking, HTTP connect tunnels are used by HTTP proxies to support SSL connections from browsers. The HTTP proxy basically acts as a TCP level proxy, and it doesn't care about the application layer. What this means is that just about any application can be tunneled.
see:
http://www.kb.cert.org/vuls/id/150227
There have been numerous instances where applications allowed this kind of behavior.
http://www.securityfocus.com/bid/4131/info
http://www.securityfocus.com/bid/4131/discuss
I have seen these attempts on port 25 and I'm not quite sure what the point is. Perhaps there was an SMTP service that had this problem? Or, the script is just crap. The more typical use would be to connect to an HTTP proxy (like on port 80 or 8080) and to attempt a "CONNECT mail.yourdomain.com 25" so that I can send SPAM anonymously.
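To make the two cases in the reply above concrete, here is a small added example (not code from the original posts, the poster, or the IPS vendor) that parses an HTTP CONNECT request line out of a captured TCP payload and classifies it: a CONNECT sent to a typical proxy port that asks the proxy to open port 25 (the anonymous-spam pattern), versus a CONNECT sent straight at port 25 of a mail server (the blind probe the original poster is seeing). The port list, the verdict labels and the sample payloads are all constructed assumptions for illustration, not the signature's actual matching logic.

```python
import re
from typing import List, Optional, Tuple

# Request line of an HTTP CONNECT tunnel request, e.g. "CONNECT mail.example.com:25 HTTP/1.1".
# Assumption: the signature keys on a request line of this shape at the start of the payload.
CONNECT_RE = re.compile(rb"^CONNECT[ \t]+([^\s:]+):(\d{1,5})[ \t]+HTTP/1\.[01]\r?\n")

# Ports where a forward HTTP proxy usually listens (assumed list for this example).
# A CONNECT aimed anywhere else is a blind probe rather than legitimate proxy use.
TYPICAL_PROXY_PORTS = {80, 3128, 8000, 8080, 8888}


def parse_connect(payload: bytes) -> Optional[Tuple[str, int]]:
    """Return (target_host, target_port) if the payload opens with a CONNECT request."""
    m = CONNECT_RE.match(payload)
    if not m:
        return None
    port = int(m.group(2))
    if not 0 < port < 65536:
        return None  # syntactically a CONNECT line, but not a usable port
    return m.group(1).decode("ascii", "replace"), port


def classify(dst_port: int, payload: bytes) -> str:
    """Label one client->server payload seen on dst_port (hypothetical verdict names)."""
    target = parse_connect(payload)
    if target is None:
        return "none"
    host, tport = target
    if dst_port not in TYPICAL_PROXY_PORTS:
        # CONNECT thrown at a non-proxy service (e.g. SMTP on 25): a probe or a sloppy script.
        return f"connect-probe-on-non-proxy-port target={host}:{tport}"
    if tport == 25:
        # Proxy asked to tunnel to SMTP: the classic anonymous-relay spam attempt.
        return f"proxy-relay-to-smtp target={host}:{tport}"
    return f"connect-tunnel target={host}:{tport}"


def scan(flows: List[Tuple[str, str, int, bytes]]) -> List[Tuple[str, str, int, str]]:
    """Run classify() over (src, dst, dst_port, payload) tuples and keep only the hits."""
    hits = []
    for src, dst, dport, payload in flows:
        verdict = classify(dport, payload)
        if verdict != "none":
            hits.append((src, dst, dport, verdict))
    return hits


# Constructed sample traffic; addresses and hostnames are placeholders.
SAMPLE_FLOWS = [
    # What the original poster describes: CONNECT sent directly to the mail server's port 25.
    ("203.0.113.7", "192.0.2.25", 25, b"CONNECT mail.example.com:25 HTTP/1.0\r\n\r\n"),
    # Real proxy abuse: ask an open proxy on 8080 to tunnel to a mail server.
    ("203.0.113.7", "192.0.2.80", 8080, b"CONNECT mail.example.com:25 HTTP/1.1\r\nHost: mail.example.com:25\r\n\r\n"),
    # Legitimate browser-through-proxy TLS tunnel.
    ("192.0.2.10", "192.0.2.80", 8080, b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n"),
    # Ordinary SMTP on 25: no CONNECT line, no alert.
    ("198.51.100.4", "192.0.2.25", 25, b"EHLO relay.example.org\r\n"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_FLOWS):
        print(hit)
```

Run as written, the scan reports three of the four constructed flows: the direct-to-25 probe, the proxy-relay-to-SMTP attempt, and the benign CONNECT to 443 (which an analyst would then filter on source or destination as the later reply suggests); the plain EHLO produces nothing.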
02-01-2008 05:41 PM
This alert will trigger when users establish WebEx meetings, and also for services like GoToMyPC. I've blocked any access to GoToMyPC using ACLs (inbound and outbound), but have to leave WebEx open since there's a business justification.
I'd check the IP address in question, and if it looks OK just add a Filter to prevent the alert.
I'd also suggest doing Log Pair Packets and running the results through Wireshark. You'll get much more of the exchange and (hopefully) figure out if it's malicious or not.
I'm hoping to get to the point where I can block this outright (except for WebEx), but I'm not quite there yet.